Last edited: May 01, 2025
SCARB (“Website”, “Application”, “we”, “our”, “us”) welcomes you! Since you have just moved to our Privacy and Cookies Policy, we recommend that you take a short break and carefully read this text.
This Privacy and Cookies Policy (“Policy”) defines how the SCARB digital product – the website at https://scarb.co/ and the SCARB mobile application (hereinafter collectively referred to as the “Website/Application”), administered by Effiz LLC, is used.
Our Privacy and Cookies Policy explains how we collect, use and protect the data we collect from you when you use the Website/Application. By using the Website/Application, you acknowledge that you have read and understood these Terms of Use and the Privacy and Cookies Policy, and that you agree to all of the terms set forth herein.
If you do not agree (or cannot agree) to the Terms of Use or this Policy, you do not have the right to use the Website/Application. Please inform us of your disagreement in any way specified in section 16. CONTACTS of this Policy. This Policy applies to all users of the Website/Application (both employees using the mobile application and authorized representatives of employers using the SCARB HR panel).
Thank you for your understanding and responsible attitude!
PERSONAL DATA – information or a set of information about an identified or specifically identifiable natural person.
COOKIES are small files that are stored on your device (computer or mobile device) when you visit websites or use applications.
DATA RECIPIENT (CONTROLLER) – a natural or legal person to whom personal data is provided (including a third party). For the purposes of this Policy, we act as the Recipient (Controller) of your personal data.
DATA PROCESSOR – a natural or legal person who is authorized by the data controller or by law to process personal data on behalf of the controller. We may engage third parties as processors to process data on our behalf.
DATA SUBJECT – a natural person whose personal data is processed. USER – a natural person who uses the Website/Application. The User is the Data Subject.
HR-PANEL – a web interface of the SCARB administrative panel, intended for authorized representatives of the employer (HR managers) to view summarized data and analytics on the psychological state of employees.
GDPR – General Data Protection Regulation (Regulation (EU) 2016/679), which sets out requirements for the processing of personal data of EU/EEA residents.
CCPA – California Consumer Privacy Act, which establishes rules for the processing of personal data of residents of the state of California, USA.
DPA – Data Processing Agreement – an agreement between a controller and a processor that regulates the processing of personal data.
SCC – Standard Contractual Clauses – standard clauses approved by the European Commission to ensure an adequate level of protection of personal data during their international transfer.
TIA – Transfer Impact Assessment – an assessment of the risks to personal data when transferring it to countries that do not provide an adequate level of protection.
Personal Data. In the course of using the Website/Application, you may provide us with information by which you can be identified or contacted. Such Personal Data includes, but is not limited to:
Usage Data. We may also automatically collect certain data from your browser or device when you use the Website/App ( Usage Data ). Such data generally does not allow us to directly identify you, but may be considered personal when combined with other information. Usage Data may include:
Cookie Data. We use Cookies and similar tracking technologies to improve the functionality of our Website/Application and your experience. Cookies are small text files sent by our service and stored on your device. Cookies may collect and store certain information about your use of the Website/Application, such as your preferences or login status.
You can set your browser to refuse all Cookies or to notify you when Cookies are being sent. However, please note that if you disable Cookies, some parts of our Website/Application may not function properly or may become inaccessible.
Examples of Cookies we use:
Note on third-party Cookies: Some Cookies may be set by third-party services with which we cooperate (for example, Google). We are not responsible for the Cookie policies of third-party sites and we recommend that you read their privacy policies (see section 13. LINKS TO THIRD-PARTY WEBSITES ).
SCARB uses the collected data for a variety of purposes, including:
We process your personal data on the lawful grounds provided for by applicable data protection legislation. Depending on the specific situation, various data operations may be carried out on the basis of your consent, the necessity to perform a contract (to provide you with services in accordance with the Terms of Use), the fulfillment of our legal obligations, as well as on the basis of our legitimate interest (for example, in maintaining the security and integrity of the service). If you would like to receive more information about the legal grounds for processing specific categories of data, please contact the contacts specified in section 16. CONTACTS .
We retain your personal data only for as long as is necessary to achieve the purposes set out in this Policy, unless a different retention period is required by law. This means that your information will be retained as long as you use our Website/App and have an active account, as well as for a reasonable period after your account has been deactivated (for example, to comply with legal obligations or resolve potential disputes).
Retention periods may depend on the type of data:
Once the need to process your data is no longer necessary, or upon receipt of a justified request for deletion, we will delete or anonymize your personal data. Anonymization means that all identifying elements are irreversibly removed and the data is no longer associated with you.
Please note that it may take additional time to completely delete your data from our backups and archives. We may also retain the minimum information necessary after your account is deleted if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements (for example, to retain consent information or support history).
The main server facilities on which the collected data is stored and processed are located in Ukraine. However, given the global architecture of our infrastructure (we use Digital Ocean cloud services with points of presence in different regions - USA, Europe, Asia, Australia, Canada), your data may be transferred, stored or processed outside the country or jurisdiction of your residence. This means that in certain cases your personal data may end up on servers located in another country, where data protection laws may differ from the laws of your jurisdiction.
We are aware of the risks associated with international data transfers and take the necessary measures to ensure an adequate level of protection for your information, regardless of where it is processed . In particular:
Your use of the Website/Application and provision of information to us is deemed to constitute consent to such international data transfer, storage and processing (to the extent such consent is required by law). We guarantee that regardless of the place of processing, your personal data will be subject to the protection measures described in this Policy. If you require additional information on the mechanisms for international transfer of your data, please contact us at the contacts specified in section 16. CONTACTS .
We do not sell or transfer your personal data to third parties, except as expressly provided for in this Policy or by law . In certain situations, we may need to disclose (transfer) your data to a limited number of recipients. Such cases include:
In all cases of data disclosure, we adhere to the principle of minimum sufficiency: we provide third parties with only the amount of information that is actually necessary for a specific purpose. We do not provide your personal data to any unreliable or unauthorized recipients.
We pay great attention to ensuring the security of your personal data. To protect information from unauthorized access, modification or destruction, we have implemented a set of technical and organizational security measures in accordance with the best industry practices. In particular:
While we do our best to protect your data, it is important to understand that no method of transmission over the Internet or method of electronic storage is 100% secure . This means that despite our efforts, we cannot guarantee the absolute security of your information. If, despite the measures taken, a leak or incident occurs with your data, we will notify you immediately (in accordance with legal requirements) and do everything possible to minimize the negative consequences.
We also encourage you to take steps to protect your data: keep your credentials confidential, use complex passwords, and do not transmit information, the disclosure of which could cause you significant harm, through unsecured channels. If you suspect that your account has been compromised or if you notice any vulnerability or security issue on our Website/Application, please notify us immediately (see section 16. CONTACTS ).
We strive to provide you with full control over your personal data. If you are a resident of Ukraine, we guarantee the exercise of the rights of the data subject stipulated in the Law of Ukraine “On Personal Data Protection”. If you are located in the territory of the European Union or the European Economic Area (EU/EEA), you also have rights defined by the General Data Protection Regulation (GDPR). Below are described your main rights regarding personal data, which you can exercise:
To exercise any of the listed rights, you can contact us at any time - it is enough to send the relevant request to our email address or postal address specified in section 16. CONTACTS . For some requests (for example, a request for access or deletion), we may also provide you with a convenient tool through your account or a special form.
Identity Verification: In order to exercise your rights, we may need to verify your identity to ensure that you are the data subject. This prevents unauthorized access to your information by others. For example, we may ask you to make a request from the email address associated with your SCARB account or to provide additional information for verification.
We will make every effort to respond to your request within 30 days of receipt. This period may be extended by an additional 30 days in the event of a complex request or a large number of simultaneous requests - in which case we will inform you of the extension and the reasons for the delay.
Refusal to comply with a request: In some cases, we may lawfully refuse to comply with your request (in whole or in part). This will only happen if the request in question is unfounded or excessive (for example, repeated without substantial reason) or if we have a reasonable right to refuse the request in accordance with the law. In the event of a refusal, we will be sure to explain to you the reason for such refusal and inform you of the possibilities of appeal.
You also have the right to lodge a complaint with the competent Data Protection Authority . If you are located in Ukraine, this authority is the Commissioner for Human Rights of the Verkhovna Rada of Ukraine (Ombudsman) or another authority designated by law. If you are located in the EU/EEA, you can lodge a complaint with the national data protection authority of your country or the country where the infringement occurred. The contact details of the national authorities are available on the official website of the European Commission or at the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you are located in California, you can exercise your rights under the CCPA (see section 10. RIGHTS OF CALIFORNIA RESIDENTS below).
We would appreciate it if you would give us a chance to resolve the issue directly before contacting regulators. You can always write to us first about your concerns and we will try to resolve the issue promptly to your satisfaction.
If you are a resident of the state of California (USA), you are subject to the California Consumer Privacy Act (CCPA) and related regulations. We are committed to complying with the CCPA when processing personal information of California residents. In particular, you have the following rights with respect to your information:
To exercise your rights under the CCPA, you or your authorized representative may send us a verified request (see 16. CONTACTS for contact information). In order to verify your identity upon receipt of your request, we may ask you to provide certain additional information (to ensure that you are the data subject). Requests from an authorized representative must be accompanied by proof of authority (for example, a notarized power of attorney or other document confirming the authority to act on your behalf).
If you have any questions about your rights under the CCPA or about how we process personal information of California residents, please contact us using the contact information in section 16. CONTACT US . We have prepared this Policy with the requirements of the CCPA in mind, so the sections devoted to the categories of data collected, purposes of use, transfer to third parties, etc. also satisfy the transparency requirements under the CCPA.
To ensure the operation of our service, we may engage third-party companies and individuals who process your personal data on our behalf ( third-party processors or subcontractors ). This is done to facilitate the provision of our Services and to perform certain functions (as described in section 7. DATA DISCLOSURE ).
These third parties are granted access to your personal data solely to perform the specific tasks we assign to them and are required not to disclose or use this data for any other purpose. In other words, our service providers do not have the right to decide how to process your data – they act only within the framework of our instructions and the terms of their contract with us.
We carefully select the partners we entrust with data processing and enter into appropriate data protection agreements (DPAs) with them . These agreements set out strict obligations regarding confidentiality and security. In particular, our processors are obliged to implement the necessary technical and organizational measures to protect personal data, to notify us immediately of security incidents, to assist us in responding to requests from data subjects, etc.
Examples of categories of third party processors that we may engage include: cloud platforms (for hosting), email or SMS services, analytics services, performance monitoring services, payment providers, cybersecurity consulting firms, etc. All of them are subject to these agreements and our control.
We do not authorize any processor to engage sub-processors without our consent . If any of our suppliers chooses to engage an additional party to assist in processing your data, they must first obtain our consent and enter into the same strict data protection obligations with the sub-processor.
List of the main third-party services we use:
(The above list may change as our product evolves; we will update the Policy if we begin using significantly new processor categories).
To reiterate: Your data remains our responsibility even when processed by third parties. We monitor and are responsible for ensuring that our processors adhere to privacy standards that are at least as high as those in this Policy.
We may use third-party services to monitor, collect and analyze statistical data about the use of the Website/Application. Such analytics help us better understand user behavior, assess the popularity of certain features and improve the product.
Google Analytics. One of the main analytical tools we use is Google Analytics, a web analytics service provided by Google. Google Analytics collects information about visits and user activity on our Website/Application using Cookies and similar technologies.
The collected data (e.g. data about your device, pages visited, session duration, geographical location at city level, if available) is transmitted to Google servers in an anonymized form. Google uses this data to evaluate the use of our Website/Application and to generate reports for us. The reports we receive from Google do not contain information that directly identifies you - they are aggregated in nature (e.g. total number of users over a certain period, average time spent on the page, etc.).
Google may use the data collected by Google Analytics to improve its own products and services, as well as to personalize ads on its advertising network. For example, data about your visits may affect which ads you see when you search on Google or on YouTube. Important: We do not transfer any sensitive personal data (such as your entries or any information that identifies you by name) to Google Analytics. Google Analytics only receives technical and anonymized information about the use of the application.
You can learn more about Google's privacy practices in the Google Privacy Policy: https://policies.google.com/privacy?hl=uk. We also recommend that you read information about how Google uses data when you use their partner sites or apps: https://policies.google.com/technologies/partner-sites.
How to opt out of Google Analytics: If you do not want Google Analytics to track your activity on our Website/App, you have several options. First, you can disable the storage of Cookies in your browser (see section 3. Cookie data ), although this may affect other features. Second, Google offers a special opt-out module – the Google Analytics Opt-out Browser Add-on , which you can install in your browser (available at the link: https://tools.google.com/dlpage/gaoptout). This tool will not allow the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) to share information with Google Analytics about your visit activity. On mobile devices, you can also limit tracking by enabling the “Limit Ad Tracking” option (for iOS) or “Opt out of Ads Personalization” (for Android) in your phone’s privacy settings – this will reduce the collection of data for advertising and analytical purposes.
Other Analytics Tools. At the time of this Policy's last update, we do not use any third-party analytics services other than Google Analytics. If we decide to add a new analytics or tracking tool in the future, we will update this Policy and (if necessary) ask for your consent if such tool collects personal data beyond the purposes described here.
SCARB is a unique platform that serves two categories of users: (1) employees who use the mobile application to self-monitor and improve their mental health; and (2) employers/HR managers who use the analytical dashboard to gain insight into the overall health of the team and manage the well-being program. This section describes how the privacy principles apply in a corporate context and what obligations the parties have.
Roles of the parties in data processing. When using SCARB in a corporate environment, we usually act as a Data Processor in relation to the personal data of employees collected through the application, while the employer (client company) acts as a Data Controller of such data. This means that the employer company determines the purposes of using the data (improving employee well-being, analytics for HR, etc.), and we act solely in accordance with its instructions, providing a technical data processing service. At the same time, for certain aspects (e.g. product improvement, general service analytics) we may act as an independent controller - however, in such a case we continue to comply with all the guarantees described in this Policy.
Data Processing Agreement (DPA). With each corporate client (employer), we conclude a separate Data Processing Agreement , which regulates our obligations as a processor and ensures compliance with the requirements of Article 28 of the GDPR (if applicable). This agreement contains provisions on confidentiality, security measures, the procedure for assisting the controller in fulfilling data subjects' requests and reporting incidents, etc. In other words, the DPA guarantees that the personal data of your company's employees will be processed by us strictly within the framework of the assigned tasks and with an appropriate level of protection. Upon request, we are ready to provide a copy of a model DPA for review.
Data available to the employer. By default, HR managers and authorized persons of the employer who have access to the SCARB panel see only aggregated, depersonalized information about the team. For example: the overall level of involvement in the program (percentage of employees actively using the application), the average well-being index by company or divisions, the main stress factors based on surveys, etc. We apply an “anonymity threshold” - the minimum number of participants for forming group data (usually at least 5-10 people in the group) to exclude the possibility of guessing about a specific person. Thus, the confidentiality of the individual results of each employee is ensured.
Personal notifications. In some cases, the purpose of the service - preventive support for employees - may require the transfer of certain information about a specific employee to the employer. For example, if the system records that the condition of a certain employee has critically deteriorated (exacerbation of burnout symptoms, extremely low mood for a long time, etc.), SCARB can generate a notification for HR with a recommendation to hold an individual meeting with this employee or offer him help. Such notifications include personal data (name or unique identifier of the employee) - without this it is impossible to provide targeted support. We want to assure you that such functionality is activated only under the conditions of: (a) your explicit consent (the employee himself agrees to the possibility of such notifications during registration or in the privacy settings); (b) or if such data exchange is expressly provided for by the contract between us and the employer, and complies with the company's labor policies and legal requirements. In any case, such data is transferred to a limited number of persons (for example, only to the head of the HR department or a corporate psychologist), who are obliged to maintain their confidentiality.
Employer Responsibilities. The client company implementing SCARB for its employees is responsible for properly informing employees and obtaining the necessary consents (if required) for the processing of their personal data within the framework of this platform. The employer must familiarize employees with this Policy and its own internal policies on well-being support programs (if any). In addition, the employer is obliged to use the data obtained through SCARB only for the purpose of caring for the well-being of employees and improving the efficiency of the work environment , and not for punitive or discriminatory measures. Any attempt to use information from SCARB to make adverse disciplinary decisions regarding an employee without their knowledge and consent may be considered a breach of trust and data protection legislation.
Confidentiality at HR level. Individuals who have access to the SCARB HR dashboard must adhere to the same strict confidentiality principles as we do. This means that HR managers are prohibited from disclosing any information received through the platform to other employees or third parties, except in cases of business necessity and in accordance with internal company policies. For example, if HR receives an anonymized report on stress in a department, they can discuss the general findings with management, but should not attempt to identify individuals or discuss assumptions about specific employees publicly. If HR receives a personal notification about an individual employee, this information should be handled sensitively and confidentially - in particular, it is recommended to first communicate directly with that employee or the corporate psychologist, and not to disseminate this information more widely.
Access restrictions. We provide each corporate client with the ability to independently manage access to the HR panel (issue logins for certain individuals, assign roles with different data viewing rights). The company is obliged to maintain an up-to-date list of individuals who have such access and immediately revoke access if a certain employee is no longer authorized (for example, has resigned or been transferred to another position). We recommend protecting HR accounts with two-factor authentication and not using common logins for several individuals - this will increase security and access auditing.
Responsibility for maintaining confidentiality. If the employer or its representative (HR) violates the obligation to maintain the confidentiality of employee data (for example, transfers data to third parties without permission, or uses data for purposes other than its intended purpose), the employer as the controller is responsible for such a violation. We, for our part, are ready to assist in the investigation of the incident and will provide all necessary information to restore confidentiality and trust.
In summary: user privacy is our top priority , and this applies to both individual employees and corporate clients. We implement SCARB in a way that benefits both employees (by improving their well-being) and employers (by giving them tools to take care of their team), without violating ethical and legal privacy standards. If you, as an employer representative or as an employee, have any questions about the use of data in SCARB, please contact us for clarification (contacts are in section 16. CONTACTS ).
Our Website/App may contain links to third-party websites or services that are not operated by us. For example, the resources section may link to an article on an external website, or the app interface may link to a partner platform.
Please note that we do not control the content, privacy policies, or practices of third-party websites . If you follow a link to a third-party site, our Policy no longer applies to you. While on a third-party resource, you are subject to the terms and privacy policies of that resource.
We are not responsible for the content and actions of such third-party websites. The presence of a link does not imply our approval or guarantee of the safety of that resource. You acknowledge and agree that SCARB (Effiz LLC) shall not be liable, directly or indirectly, for any damage or loss caused by the use of any such third-party content, goods or services available on such third-party websites.
We recommend that you: when accessing third-party resources, always review their privacy policies and terms of use to understand what information they collect about you and how they use it. If you have any questions or concerns about a third-party site, please ask them directly to the administrators of that site.
Our Website/App is intended only for persons who are 14 years of age or older . We do not knowingly collect personal data from children under 14 years of age without the consent of their parents or legal guardians.
By using SCARB, you represent and warrant that you are at least 14 years of age and that you have full legal capacity and capacity to accept these terms and use the service. If you are not yet 14 years of age, or if you do not have sufficient legal capacity to enter into such agreements, you are prohibited from using our Website/Application. In such case, please stop using the service immediately.
If we become aware that a person under the age of 14 has provided us with their personal data without appropriate permission, we will take steps to delete that information. Parents or guardians who discover that their child (under the age of 14) has registered with our application can contact us (via the contacts below) and we will help delete the relevant data.
For users aged 14 to 18: Considering that the age of majority under Ukrainian law is 18, we expect that minor users (aged 14-17) have obtained parental consent to participate in the corporate wellness program (if applicable) or have informed their parents about the use of SCARB. However, we do not require written parental consent, as Ukrainian law allows individuals aged 14 and over to independently consent to the processing of their personal data in certain cases. We interpret your acceptance of this Policy and use of the service as confirmation that you are legally competent and have the appropriate authority (including, where necessary, parental or employer consent) to use SCARB.
We reserve the right to make changes to this Policy from time to time. Our terms and data processing practices may change in response to new features, changes in legislation, or improvements to our security procedures. Therefore, we may periodically update the text of the Policy to reflect these changes.
How we will notify you of changes: If we make any changes, we will post a new version of the Policy on this page, with an updated “Last revised” date at the top of the document. If the changes are material, we will make the notice more prominent – for example, through a banner on our website or a notification in a mobile application. In cases where the changes may significantly affect your rights or the way we use your data, we may also send you a personalized email message (to the address specified in your account) describing the changes.
We recommend that you periodically review this Policy to ensure you are always aware of the current version. Your continued activity or use of the Website/Application after the changes become effective means that you accept and agree to the updated Policy.
If you do not agree to any changes to the Policy, you must stop using SCARB and (if desired) you may contact us to request that we delete your personal data.
We welcome your questions, comments and requests regarding this Policy and our data processing practices. If you have any questions, would like to exercise your rights under Section 9 , or have suggestions for improving our privacy practices, please contact us using any of the methods below:
Our Data Protection Officer (DPO) will review your request and respond within a reasonable time frame (usually no more than 30 days). We appreciate your concern about privacy and are always ready to help ensure transparency and control over your data when using SCARB.